Cryptographic Services API Algorithm Enhancements

The IBM i Cryptographic Services APIs used for encryption, decryption, and hash operations support additional algorithms.

The new Key Derivation Function (QC3KDF) API features the NIST-recommended Password Based Key Derivation Function 2 (PBKDF-2) algorithm for password hashing. 

It derives keying material from passwords, master keys, or other secret values. This keying material can then be used to create key context tokens with the Create Key Context API (QC3CRTKX, Qc3CreateKeyContext).

New Elliptical Curve (ECC) key types available to use with keystores and multiple existing APIs.

• x25519
• x448
• ed25519
• ed448

The x25519 and x448 key types can be utilized with the Generate Elliptic Curve Diffie-Hellman Key Pair (QC3GENECDK, Qc3GenECDHKeyPair) API to create a Diffie-Hellman private/public key pair. Subsequently, this key pair can be used with the Calculate Diffie-Hellman Secret Key (QC3CALDS, Qc3CalculateDHSecretKey) API to produce the shared secret key.

The ed25519 and ed448 key types can be used with the Generate ECC Key Pair (QC3GENECC, Qc3GenECCKeyPair) API to produce private/public key pairs for use with the Edwards-curve Digital Signature Algorithm (EdDSA). EdDSA is now supported by the Calculate Signature (QC3CALSG, Qc3CalculateSignature) and Verify Signature (QC3VFYSG, Qc3VerifySignature) APIs.

New symmetric key types available to use with keystores and multiple existing APIs

• ChaCha20
• Poly1305
• SHA3-224, SHA3-256, SHA3-384 and SHA3-512

The Encrypt With MAC (QC3ENCWM, Qc3EncryptWithMAC) and Decrypt With MAC (QC3DECWM, Qc3DecryptWithMAC) APIs now support the ChaCha20/Poly1305 Authenticated Encryption with Additional Data (AEAD) algorithm. Poly1305 is also a new algorithm option with the Calculate MAC (QC3CALMA, Qc3CalculateMAC) API.